LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What is the role of the PERT distribution and Monte-Carlo simulation in computing a "good" cyber risk number?

PERT turns expert estimates (min, most-likely, max) into a smooth probability distribution. Monte-Carlo then samples thousands of combinations to produce a full risk distribution, not a single point estimate.

The pipeline (4 steps in the FAIR flow):

  1. Scenarios — define the risks ("[Threat] impacts [asset] via [method], causing [effect]").
  2. FAIR factors — break down into LEF, PL, SL, etc.
  3. Expert estimation → PERT — for each factor, experts give Min / Most-Likely / Max. PERT (a beta-like distribution) shapes this into a probability curve.
  4. Monte-Carlo simulation — draw 10 000+ random samples, multiply LEF × LM each time, and observe the resulting distribution.

Why it's better than a point estimate:

  • A single "CHF 200k expected loss" hides the worst case — what's the 90th percentile? 99th?
  • Output charts include an Exceedance Probability Curve (probability of loss ≥ X) and Loss Exceedance Curve — these are what risk-appetite decisions are actually made on.
  • It turns "expert gut feel" into a defensible, transparent number.

Tip: The open-source pyfair library (pip install pyfair) implements this end-to-end — useful if you want to play with the simulation yourself.

From Quiz: ISF / Risk Management | Updated: May 31, 2026